stealthcopter / deepce Goto Github PK

would it be possible for the script to undo an exploit after performing it?

Use case: I want to run deepce on all my production containers to test if they are exploitable but don't want it to litter them all

Currently we scan for other containers on the container network but we should scan for devices on the local network (if found to be different to the container network)

Sometimes the hardrives and hardware can give away information about what type of host we're running on, add an option to list these (maybe not by default as it could be too noisy)

While running the docker wrapper, the following error was observed while enumerating a BusyBox instance.

[+] Interesting files in root ........... No
grep: unrecognized option: exclude=deepce.sh
BusyBox v1.31.1 () multi-call binary.

Usage: grep [-HhnlLoqvsriwFE] [-m N] [-A/B/C N] PATTERN/-e PATTERN.../-f FILE [FILE]...

Search for PATTERN in FILEs (or stdin)

	-H	Add 'filename:' prefix
	-h	Do not add 'filename:' prefix
	-n	Add 'line_no:' prefix
	-l	Show only names of files that match
	-L	Show only names of files that don't match
	-c	Show only count of matching lines
	-o	Show only the matching part of line
	-q	Quiet. Return 0 if PATTERN is found, 1 otherwise
	-v	Select non-matching lines
	-s	Suppress open and read errors
	-r	Recurse
	-i	Ignore case
	-w	Match whole words only
	-x	Match whole lines only
	-F	PATTERN is a literal (not regexp)
	-E	PATTERN is an extended regexp
	-m N	Match up to N times per file
	-A N	Print N lines of trailing context
	-B N	Print N lines of leading context
	-C N	Same as '-A N -B N'
	-e PTRN	Pattern to match
	-f FILE	Read pattern from file
[+] Passwords in common files ........... No

Cheers

the curl command in the docs need the -L option to follow the redirect:
curl -sL https://github.com/stealthcopter/deepce/raw/master/deepce.sh -o deepce.sh

Detect if docker is rootless, because priv esc wont work then.

Move the virtual machine into it's own branch in order not to dirty the main branch, as the master branch should contain the code and tests.

Similar to the docker group priv esc, add a lxd group priv esc.

Currently a sleep 2 is introduced betfore attempting to enumerate the network. This was needed to ensure that the network finished setting up for newly run containers. This only really affects the testing scripts as normal containers would already have networks setup and running by time script is run, so the sleep should be removed so normal users aren't slowed down.

Hello,

I tried installing the tool on my MacBook and I got this err cmd/gorsair.go:68:18: assignment mismatch: 2 variables but scanner.Run returns 3 values. I looked at the code block and noticed the potential issue:

	results, err := scanner.Run()
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

I changed it to handle 3 outputs. I am only creating it here rather than apool request bc I wasn't sure if it would break anything

	results, _, err := scanner.Run()
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

Minor issue but the alignment of the dots is off on this:

[+] Alpine Linux Version ...... 3.5.3
[+] CVE-2019-5021 Vulnerable .. Yes

When deepce.sh searches for secrets it should ignore it's own file to avoid spitting out the shell script

Hello,

I see the steps on TryHackMe says to
use linux/local/lxc_privilege_escalation

However, when I search for the exploit I see it's labelled as "exploit/linux/local/lxc_privilege_escalation" Is this a problem?

Hi,

I'm just blindly following your documentation and I'm having trouble on the second task.

ubuntu@deepce:~$ docker cp /opt/deepce/deepce.sh alpine-container_name:/
ubuntu@deepce:~$ docker alpine-container_name exec /deepce.sh
docker: 'alpine-container_name' is not a docker command.
See 'docker --help'
ubuntu@deepce:~$ 

What am I doing wrong??

I know alpine-container_name Isn't the same. I changed it because I didn't want to give away an answer.

in the help message:

Users in the docker group can escalate to root on the host by mounting the host partition inside the container and chrooting into it.\ndeepce.sh -e DOCKER\nSee https://stealthcopter.github.io/deepce/guides/docker-group.md

The issued grep command to find out the the listening port of ssh (https://github.com/stealthcopter/deepce/blob/master/deepce.sh#L564) has a wrong order of arguments as the man page says: grep [OPTION...] PATTERNS [FILE...].

diff --git a/deepce.sh b/deepce.sh
index d96ec37..99eae3e 100755
--- a/deepce.sh
+++ b/deepce.sh
@@ -561,7 +561,7 @@ containerServices() {
   # shellcheck disable=SC2181
   if [ $? -eq 0 ]; then
     if [ -f "/etc/ssh/sshd_config" ]; then
-      sshPort=$(grep /etc/ssh/sshd_config  "^Port" || echo "Port 22" | cut -d' ' -f2)
+      sshPort=$(grep "^Port" /etc/ssh/sshd_config || echo "Port 22" | cut -d' ' -f2)
       printSuccess "Yes (port $sshPort)"
     else
       printSuccess "Yes"

Hi

I downloaded the script as outlined in your README using "wget https://github.com/stealthcopter/deepce/raw/master/deepce.sh"

When trying to run the script, I get "bash: ./deepce.sh: Permission denied"

Please help

When running all the tests the docker-alpine-payload-new-root-user test adds a new root user to the system, but doesn't remove it afterwards. This is probably fine for automated tests where the environment disappears afterwards, but presents a serious security risk from unsuspecting users running it on their own machines.

I'm having a problem with "exploits/linux/local/lxc_privilege_escalation" are you able to help?

msf5 exploit(multi/handler) > use exploit/linux/local/lxc_privilege_escalation
[*] Using configured payload linux/x64/exec
msf5 exploit(linux/local/lxc_privilege_escalation) > set session 1
session => 1
msf5 exploit(linux/local/lxc_privilege_escalation) > set CMD cat /etc/passwd
CMD => cat /etc/passwd
msf5 exploit(linux/local/lxc_privilege_escalation) > set AutoDeleteContainer true
AutoDeleteContainer => true
msf5 exploit(linux/local/lxc_privilege_escalation) > run

[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. There are no local images we can use, please download an image such as alpine or ubuntu.
[*] Using base image 
[*] Writing payload executable to '/tmp/slCLSPJBaRm'
[*] Executing script to create and run LXC container
[*] Creating container
[*] Adding mount to container
[*] Starting container
[*] Executing payload inside container
[*] error: not found
[*] Removing container (IIjqwvjad)
[*] error: not found
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/lxc_privilege_escalation) > 

For example call /opt/deepce/docker-wraper.sh and the script will fail as it will look in current dir for the script instead of the correct path.

Capabilities such as CAP_SYS_MODULE allow for escapes.
It would be nice if the script ran capsh --print or similar and highlighted dangerous permissions, possibly with descriptions or links for found dangerous permissions.

https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities
https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout#container-capabilities

It's not clear what the all the different text colors signify, can you add a table or something to describe them like linPEAS does?

Some developers leave Dockerfiles inside their containers, lets look for them :)

metasploit@deepce:~$ ./start_vulnerable_docker.sh
Starting a vulnerable docker instances
Starting: privileged-ubuntu-5555

• Privileged container to escape
• Meteperter is running on port 5555
  5ec76862ff7682695d87fae5c221b80733d2d2b2e16d3e61ce75bf604e277137

Use metasploit to connect to this container and perform a container escape
7ab3d7d7fab7dbc981a197983f6a59442271636d5cca8c25ab8f10668af363c7
\nDone deepce{I bet this is a secret}
metasploit@deepce:~$